From d6d7458d6829328dba1f8b060755c728d0aeada3 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Wed, 24 Apr 2019 00:37:59 +0300
Subject: [PATCH] Fix control plane setup without a hardcoded key (#4610)

---
 .../tasks/kubeadm-secondary-experimental.yml  | 18 +++++++++++++++
 .../kubernetes/master/tasks/kubeadm-setup.yml | 22 +++++++++----------
 .../templates/kubeadm-config.v1alpha3.yaml.j2 |  2 +-
 .../templates/kubeadm-config.v1beta1.yaml.j2  |  2 +-
 4 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
index f7f098d35..b204dbba0 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
@@ -25,6 +25,24 @@
     port: "{{kubeadm_discovery_address.split(':')[1]}}"
     timeout: 180
 
+
+- name: Upload certificates so they are fresh and not expired
+  command: >-
+    {{ bin_dir }}/kubeadm init phase
+    --config {{ kube_config_dir}}/kubeadm-config.yaml
+    upload-certs --experimental-upload-certs
+    {% if kubeadm_certificate_key is defined %}
+    --certificate-key={{ kubeadm_certificate_key }}
+    {% endif %}
+  run_once: yes
+  register: kubeadm_upload_cert
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Parse certificate key if not set
+  set_fact:
+    kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
+  when: kubeadm_certificate_key is undefined
+
 - name: Joining control plane node to the cluster.
   command: >-
     {{ bin_dir }}/kubeadm join
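Review bot: The certificate key that unlocks the uploaded control-plane certificates is captured in clear text by `register: kubeadm_upload_cert` and again by the `set_fact` that reads `stdout_lines[-1]`, and neither task sets `no_log`, so the key ends up in playbook output and any Ansible log; when it is pre-defined it is also placed on the kubeadm command line by `--certificate-key={{ kubeadm_certificate_key }}`. Add `no_log: true` to both the upload task and the parse task. The parse also assumes the key is the last line of kubeadm's output, which is an undocumented output-format dependency; a `regex_search` on the line that carries the key, like the `set kubeadm certificate key` task in kubeadm-setup.yml, would be less fragile. Write the boolean as `run_once: true`, and `{{ kube_config_dir}}` is missing the closing space the other expressions use. The `Joining control plane node` task continues outside the hunk.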
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 683c9339a..6c27c9e03 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -114,13 +114,23 @@
 - name: set kubeadm certificate key
   set_fact:
     kubeadm_certificate_key: "{{ item | regex_search('--certificate-key ([^ ]+)','\\1') | first }}"
-  with_items: "{{ (hostvars['kube-master'][0]['kubeadm_init']|default({'stdout_lines': []}))['stdout_lines'] }}"
+  with_items: "{{ hostvars[groups['kube-master'][0]]['kubeadm_init'].stdout_lines | default([]) }}"
   when:
     - kubeadm_version is version('v1.14.0', '>=')
     - kubeadm_certificate_key is not defined
     - item | trim | match('.*--certificate-key .*')
     - hostvars['kube-master'][0]['kubeadm_init']['stdout_lines'] is defined
 
+- name: Create hardcoded kubeadm token for joining nodes with 24h expiration (if defined)
+  shell: >-
+    {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token delete {{ kubeadm_token }} || :;
+    {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create {{ kubeadm_token }}
+  when:
+    - inventory_hostname == groups['kube-master']|first
+    - kubeadm_token is defined
+  tags:
+    - kubeadm_token
+
 - name: Create kubeadm token for joining nodes with 24h expiration (default)
   command: "{{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create"
   register: temp_token
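Review bot: The `with_items` line is corrected to `hostvars[groups['kube-master'][0]]`, but the last `when` condition of the same task still reads `hostvars['kube-master'][0]['kubeadm_init']['stdout_lines'] is defined`, which indexes hostvars by a group name rather than a hostname; if that lookup resolves to undefined the guard is always false and `kubeadm_certificate_key` is never parsed from `kubeadm_init`, which is exactly the path this commit is meant to fix. Change it to `- hostvars[groups['kube-master'][0]]['kubeadm_init']['stdout_lines'] is defined`, or drop the condition now that `| default([])` on the loop already handles the missing registration. The `Create hardcoded kubeadm token` task that moves into this hunk expands the join token into a `shell:` line; adding `no_log: true` to it would keep `kubeadm_token` out of verbose output and logs. The moved task's original position is the pure deletion in the following hunk.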
@@ -139,16 +149,6 @@
   tags:
     - kubeadm_token
 
-- name: Create hardcoded kubeadm token for joining nodes with 24h expiration (if defined)
-  shell: >-
-    {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token delete {{ kubeadm_token }} || :;
-    {{ bin_dir }}/kubeadm --kubeconfig /etc/kubernetes/admin.conf token create {{ kubeadm_token }}
-  when:
-    - inventory_hostname == groups['kube-master']|first
-    - kubeadm_token is defined
-  tags:
-    - kubeadm_token
-
 - name: kubeadm | Initialize other masters (experimental control plane)
   include: kubeadm-secondary-experimental.yml
   when: kubeadm_control_plane
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index 01252f661..0ee50fa83 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -253,7 +253,7 @@ clientConnection:
  burst: {{ kube_proxy_client_burst }}
  contentType: {{ kube_proxy_client_content_type }}
  kubeconfig: {{ kube_proxy_client_kubeconfig }}
- qps: {{ kube_proxy_client_kubeconfig }}
+ qps: {{ kube_proxy_client_qps }}
 clusterCIDR: {{ kube_pods_subnet }}
 configSyncPeriod: {{ kube_proxy_config_sync_period }}
 conntrack:
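Review bot: `kube_proxy_client_qps` is referenced for the first time on the new `qps:` line, and the patch shows no role default for it, so confirm it is declared alongside the other `kube_proxy_client_*` variables (burst, contentType, kubeconfig are all sourced the same way) or template rendering will fail on an undefined variable. The same replacement is made in the v1beta1 template in the next hunk, so both templates depend on that default. This kube-proxy client-rate fix is unrelated to the certificate-key subject of the commit; noting it in the commit message would help anyone tracing a kube-proxy behaviour change to this patch.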
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index c9341b592..f8b13275d 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -261,7 +261,7 @@ clientConnection:
  burst: {{ kube_proxy_client_burst }}
  contentType: {{ kube_proxy_client_content_type }}
  kubeconfig: {{ kube_proxy_client_kubeconfig }}
- qps: {{ kube_proxy_client_kubeconfig }}
+ qps: {{ kube_proxy_client_qps }}
 clusterCIDR: {{ kube_pods_subnet }}
 configSyncPeriod: {{ kube_proxy_config_sync_period }}
 conntrack:
-- 
GitLab